As a sample i simply used one of the system tools from OS X (/bin/ls) and started fuzzing. I quickly began recording tons of crashes.The most interesting one was this:

And file diff showed something like that:

Its pretty straightforward right ? I checked the modules, and a standard SEH exploit should work for us:

I calculated the offsets:

By now i thought it's over, but first problems started to show when i wanted to substitute my A's and B's with pointers and other non printable characters (e.g. NOPs or INT 3) - Hopper would not crash at all.
Instead of NOPs i could use \x40\x48 which is inc eax, dec eax.

Regarding SEH overwrite i couldn't use short jump so i had to find a pointer that would later assemble to a instruction that wouldn't crash. Fortunately libpng had a nice ascii printable pointer which i could use for pop pop ret.

Next there was a problem with ascii only shellcode. I needed one of the register to point to it, but in case of SEH registers are XOR'ed. I found a solution here. Basically by using multiple POPAD instructions we can get ESP point to our buffer and then return to it.

Now we can just generate our shellcode and place it in the controlled area: